From 4272da4e9e2ab9c99b4b9897f04c92cd7987cb8b Mon Sep 17 00:00:00 2001
From: Evan Prodromou <evan@prodromou.name>
Date: Fri, 29 Aug 2008 01:11:04 -0400
Subject: [PATCH] CSRF protection for subscription/unsubscription

darcs-hash:20080829051104-84dde-9bd23c28c2c8a720046060a33ff3e5f246c47116.gz
---
 actions/showstream.php  | 2 ++
 actions/subscribe.php   | 9 +++++++++
 actions/unsubscribe.php | 9 +++++++++
 3 files changed, 20 insertions(+)

diff --git a/actions/showstream.php b/actions/showstream.php
index 29ff58a594..7b41b8514e 100644
--- a/actions/showstream.php
+++ b/actions/showstream.php
@@ -179,6 +179,7 @@ class ShowstreamAction extends StreamAction {
 	function show_subscribe_form($profile) {
 		common_element_start('form', array('id' => 'subscribe', 'method' => 'post',
 										   'action' => common_local_url('subscribe')));
+		common_hidden('token', common_session_token());
 		common_element('input', array('id' => 'subscribeto',
 									  'name' => 'subscribeto',
 									  'type' => 'hidden',
@@ -200,6 +201,7 @@ class ShowstreamAction extends StreamAction {
 	function show_unsubscribe_form($profile) {
 		common_element_start('form', array('id' => 'unsubscribe', 'method' => 'post',
 										   'action' => common_local_url('unsubscribe')));
+		common_hidden('token', common_session_token());
 		common_element('input', array('id' => 'unsubscribeto',
 									  'name' => 'unsubscribeto',
 									  'type' => 'hidden',
diff --git a/actions/subscribe.php b/actions/subscribe.php
index 71452e46cc..8bb723799c 100644
--- a/actions/subscribe.php
+++ b/actions/subscribe.php
@@ -36,6 +36,15 @@ class SubscribeAction extends Action {
 			return;
 		}
 
+		# CSRF protection
+
+		$token = $this->trimmed('token');
+		
+		if (!$token || $token != common_session_token()) {
+			common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
+			return;
+		}
+
 		$other_nickname = $this->arg('subscribeto');
 
 		$result=subs_subscribe_user($user, $other_nickname);
diff --git a/actions/unsubscribe.php b/actions/unsubscribe.php
index 5814c37bda..e0392413d9 100644
--- a/actions/unsubscribe.php
+++ b/actions/unsubscribe.php
@@ -33,6 +33,15 @@ class UnsubscribeAction extends Action {
 			return;
 		}
 
+		# CSRF protection
+
+		$token = $this->trimmed('token');
+		
+		if (!$token || $token != common_session_token()) {
+			common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
+			return;
+		}
+
 		$other_nickname = $this->arg('unsubscribeto');
 		$result=subs_unsubscribe_user($user,$other_nickname);
 		if($result!=true) {